package morpho.etis.android.sdk.deviceauthenticator.client.keymanagement;

import android.content.Context;
import com.google.common.base.Throwables;
import com.google.common.io.ByteStreams;
import com.google.common.io.Closeables;
import java.io.IOException;
import java.io.InputStream;
import java.security.InvalidKeyException;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.UnrecoverableEntryException;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.security.interfaces.RSAPublicKey;
import java.security.spec.AlgorithmParameterSpec;
import java.util.ArrayList;
import java.util.Iterator;
import java.util.List;
import javax.crypto.SecretKey;
import morpho.etis.android.sdk.deviceauthenticator.client.utils.Configuration;
import morpho.etis.android.sdk.deviceauthenticator.client.utils.Utils;
import morpho.etis.deviceauthenticator.exceptions.DeviceAuthenticatorException;

/* loaded from: classes4.dex */
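/**
 * Base class for the device-authenticator key material: the device key pair, the local
 * storage encryption key and the trusted server certificate, all held in a {@link KeyStore}
 * under the aliases {@code prefix + "device"} and {@code prefix + "server"}.
 *
 * <p>The Service Provider root CA certificates are loaded once per process from the app
 * assets into the static {@link #caCerts} list and are used to verify every server
 * certificate before it is stored or handed out.
 *
 * <p>Thread-safety: {@link #checkCaCertificate(Context)} is synchronized on the class, but
 * {@link #caCerts} is a plain {@link ArrayList} that the constructor and
 * {@link #checkServerCertificate(Certificate)} read without holding that lock; the
 * synchronized method re-checks emptiness before populating the list, which is what keeps
 * concurrent first-time initialisation from loading the certificates twice.
 */
public abstract class BaseKeyManager {
    /** Root CA certificates read from assets; shared by every instance, filled lazily. */
    public static List<Certificate> caCerts = new ArrayList<>();
    public final Context ctx;
    /** Alias of the device key-pair entry: {@code prefix + "device"}. */
    public final String deviceKeysAlias;
    public PrivateKey devicePrivateKey;
    public PublicKey devicePublicKey;
    /** Secret key for local storage encryption; only set when the keystore holds a SecretKeyEntry. */
    public SecretKey encryptionKey;
    /** Aliases looked up by {@link #loadKeys()}, in order: device keys, then server certificate. */
    public final ArrayList<String> keystoreAliases;
    public final KeyStore ks;
    public Certificate serverCertificate;
    /** Alias of the trusted server-certificate entry: {@code prefix + "server"}. */
    public final String serverCertificateAlias;

    /**
     * Creates a manager bound to {@code keyStore} and loads the root CA certificates from
     * assets if no instance has done so yet.
     *
     * @param context  application context used to read assets
     * @param str      alias prefix for this manager's keystore entries
     * @param keyStore keystore holding the device keys and server certificate entries
     * @throws DeviceAuthenticatorException if no valid root CA certificate is found in assets
     */
    public BaseKeyManager(Context context, String str, KeyStore keyStore) throws DeviceAuthenticatorException {
        // Unsynchronized fast path; checkCaCertificate re-checks under the class lock.
        if (caCerts.isEmpty()) {
            checkCaCertificate(context);
        }
        this.ctx = context;
        this.ks = keyStore;
        this.serverCertificateAlias = str + "server";
        this.deviceKeysAlias = str + "device";
        this.keystoreAliases = new ArrayList<>();
        this.keystoreAliases.add(this.deviceKeysAlias);
        this.keystoreAliases.add(this.serverCertificateAlias);
    }

    /**
     * Loads and validates the Service Provider root CA certificates from assets into
     * {@link #caCerts}. Does nothing when the list is already populated.
     *
     * <p>Each certificate must be X.509, carry an RSA key of at least 2048 bits and verify
     * under its own public key (self-signed root). Certificates failing these checks are
     * skipped and reported together; an exception is thrown only if none passes.
     *
     * @param context application context whose assets are searched
     * @throws DeviceAuthenticatorException if no certificate file exists in assets, none of
     *         them is valid, or reading the assets fails
     */
    public static synchronized void checkCaCertificate(Context context) throws DeviceAuthenticatorException {
        // The method is already synchronized on BaseKeyManager.class, so no inner lock is needed.
        if (!caCerts.isEmpty()) {
            return;
        }
        List<DeviceAuthenticatorException> failures = new ArrayList<>();
        try {
            List<String> certFiles = listCertsInAssets(context);
            if (certFiles.isEmpty()) {
                throw new DeviceAuthenticatorException("Could not find any root certificate file in assets");
            }
            for (String certFile : certFiles) {
                // Access mode 3 is AssetManager.ACCESS_BUFFER. try-with-resources closes every
                // asset stream, including when extraction or validation of that file fails.
                try (InputStream in = context.getAssets().open(certFile, 3)) {
                    X509Certificate caCert = Utils.extractCertificate(ByteStreams.toByteArray(in));
                    checkCertificate(caCert, caCert, "Service Provider root CA certificate");
                    caCerts.add(caCert);
                } catch (DeviceAuthenticatorException e) {
                    failures.add(e);
                }
            }
            if (caCerts.isEmpty()) {
                throw new DeviceAuthenticatorException("Could not find any valid root certificate: " + failures);
            }
        } catch (IOException e) {
            // An unreadable asset aborts the whole load; certificates added so far stay in caCerts.
            throw new DeviceAuthenticatorException(e);
        }
    }

    /**
     * Checks that {@code certificate} is an X.509 certificate with an RSA public key of at
     * least 2048 bits and that its signature verifies under {@code certificate2}'s public key.
     *
     * <p>The validity period is not checked and no revocation check is performed; callers
     * that need expiry enforcement must call {@link X509Certificate#checkValidity()} themselves.
     *
     * @param certificate  certificate under test
     * @param certificate2 issuer certificate, or the same certificate for a self-signed root
     * @param str          label used as the prefix of every error message
     * @throws DeviceAuthenticatorException if the format, key algorithm, key size or signature is rejected
     */
    public static void checkCertificate(Certificate certificate, Certificate certificate2, String str) throws DeviceAuthenticatorException {
        if (!(certificate instanceof X509Certificate)) {
            throw new DeviceAuthenticatorException(str + " unsupported format");
        }
        PublicKey publicKey = certificate.getPublicKey();
        if (!(publicKey instanceof RSAPublicKey)) {
            throw new DeviceAuthenticatorException(str + " key algorithm not supported");
        }
        // The modulus length is rounded up to whole bytes before the comparison, so a
        // modulus of 2041..2047 bits is still accepted as "2048".
        int modulusBits = ((RSAPublicKey) publicKey).getModulus().bitLength();
        if (((modulusBits + 7) / 8) * 8 < 2048) {
            throw new DeviceAuthenticatorException(str + " public key size too small");
        }
        try {
            certificate.verify(certificate2.getPublicKey());
        } catch (Exception e) {
            // RuntimeException and Error pass through unchanged; checked crypto exceptions are wrapped.
            Throwables.propagateIfPossible(e);
            throw new DeviceAuthenticatorException(str + " verification error", e);
        }
    }

    /**
     * Verifies {@code certificate} against each loaded root CA in turn and returns on the
     * first one that succeeds.
     *
     * @param certificate server certificate to verify
     * @throws DeviceAuthenticatorException if no root CA verifies it, including when
     *         {@link #caCerts} is empty; the message lists every per-CA failure
     */
    public static void checkServerCertificate(Certificate certificate) throws DeviceAuthenticatorException {
        List<DeviceAuthenticatorException> failures = new ArrayList<>();
        for (Certificate caCert : caCerts) {
            try {
                checkCertificate(certificate, caCert, "Server certificate");
                return;
            } catch (DeviceAuthenticatorException e) {
                failures.add(e);
            }
        }
        throw new DeviceAuthenticatorException("no valid certificate found : " + failures);
    }

    /**
     * Returns the text after the last {@code '.'} in {@code str}, or the whole string when
     * it contains no dot.
     *
     * @param str file name or path
     * @return the extension without the dot, or {@code str} itself if there is none
     */
    public static String getFileExt(String str) {
        return str.substring(str.lastIndexOf(".") + 1);
    }

    /**
     * Lists the asset paths of the root CA certificate files: the top-level asset named
     * {@link Configuration#CA_FILENAME} and every entry of the
     * {@link Configuration#CA_IDEMIA_FOLDER} directory, both matched case-insensitively.
     *
     * @param context application context whose assets are listed
     * @return relative asset paths, possibly empty
     * @throws IOException if the assets cannot be listed
     */
    public static List<String> listCertsInAssets(Context context) throws IOException {
        List<String> certFiles = new ArrayList<>();
        for (String entry : context.getAssets().list("")) {
            if (entry.equalsIgnoreCase(Configuration.CA_FILENAME)) {
                certFiles.add(entry);
            } else if (entry.equalsIgnoreCase(Configuration.CA_IDEMIA_FOLDER)) {
                // NOTE(review): the folder prefix is a literal rather than `entry + "/"`; if the
                // asset folder's actual casing differs from this literal, opening these paths
                // may fail on a case-sensitive lookup. Confirm against Configuration.CA_IDEMIA_FOLDER.
                for (String child : context.getAssets().list(entry)) {
                    certFiles.add("sp-ca-certificates/" + child);
                }
            }
        }
        return certFiles;
    }

    /**
     * Parses a DER/PEM-encoded server certificate, verifies it against the loaded root CAs,
     * persists it through {@link #storeServerCertificate(Certificate)} and caches it.
     *
     * @param bArr encoded certificate received from outside the device
     * @throws DeviceAuthenticatorException if parsing, verification or storage fails
     */
    public void checkAndStoreServerCertificate(byte[] bArr) throws DeviceAuthenticatorException {
        X509Certificate serverCert = Utils.extractCertificate(bArr);
        checkServerCertificate(serverCert);
        storeServerCertificate(serverCert);
        this.serverCertificate = serverCert;
    }

    /** Generates the device key pair and places it in the keystore under {@link #deviceKeysAlias}. */
    public abstract void generateDeviceKeys() throws DeviceAuthenticatorException;

    public abstract AlgorithmParameterSpec getAlgorithmParameterSpec();

    public abstract AlgorithmParameterSpec getAlgorithmParameterSpec(byte[] bArr);

    public abstract void init(boolean z) throws KeyStoreException, NoSuchAlgorithmException, CertificateException, IOException;

    /**
     * Loads the entries named by {@link #keystoreAliases}, wrapping every keystore failure
     * in a {@link DeviceAuthenticatorException}.
     *
     * @throws DeviceAuthenticatorException if an alias is missing or a mandatory element is absent
     */
    public final void loadKeys() throws DeviceAuthenticatorException {
        try {
            loadKeys(this.keystoreAliases);
        } catch (InvalidKeyException | KeyStoreException | NoSuchAlgorithmException | UnrecoverableEntryException e) {
            throw new DeviceAuthenticatorException(e);
        }
    }

    /**
     * Reads the given aliases from {@link #ks} and populates the matching fields by entry
     * type: a trusted-certificate entry sets {@link #serverCertificate}, a private-key entry
     * sets {@link #devicePublicKey} and {@link #devicePrivateKey}, and a secret-key entry
     * sets {@link #encryptionKey}. Entries of any other type are silently ignored.
     *
     * @param list keystore aliases to read, all of which must exist
     * @throws UnrecoverableEntryException if an alias is absent, or if after loading the
     *         device key pair or the server certificate is still {@code null}
     *         ({@link #encryptionKey} is optional)
     * @throws KeyStoreException if the keystore is not initialised
     * @throws NoSuchAlgorithmException if an entry's algorithm is unavailable
     * @throws InvalidKeyException declared for subclass overrides; not thrown here
     */
    public void loadKeys(List<String> list) throws NoSuchAlgorithmException, UnrecoverableEntryException, KeyStoreException, InvalidKeyException {
        for (String alias : list) {
            if (!this.ks.containsAlias(alias)) {
                throw new UnrecoverableEntryException("device authenticator content missing, corrupted data ? alias: " + alias);
            }
            // null protection parameter: entries are expected to be unprotected (e.g. AndroidKeyStore).
            KeyStore.Entry entry = this.ks.getEntry(alias, null);
            if (entry instanceof KeyStore.TrustedCertificateEntry) {
                this.serverCertificate = ((KeyStore.TrustedCertificateEntry) entry).getTrustedCertificate();
            } else if (entry instanceof KeyStore.PrivateKeyEntry) {
                KeyStore.PrivateKeyEntry keyEntry = (KeyStore.PrivateKeyEntry) entry;
                this.devicePublicKey = keyEntry.getCertificate().getPublicKey();
                this.devicePrivateKey = keyEntry.getPrivateKey();
            } else if (entry instanceof KeyStore.SecretKeyEntry) {
                this.encryptionKey = ((KeyStore.SecretKeyEntry) entry).getSecretKey();
            }
        }
        if (this.devicePublicKey == null || this.devicePrivateKey == null || this.serverCertificate == null) {
            throw new UnrecoverableEntryException("missing mandatory keystore element");
        }
    }

    /**
     * Returns the device private key, loading the keystore entries on first access.
     *
     * @throws DeviceAuthenticatorException if the keystore entries cannot be loaded
     */
    public PrivateKey retrieveDevicePrivateKey() throws DeviceAuthenticatorException {
        if (this.devicePrivateKey == null) {
            loadKeys();
        }
        return this.devicePrivateKey;
    }

    /**
     * Returns the device public key, loading the keystore entries on first access.
     *
     * @throws DeviceAuthenticatorException if the keystore entries cannot be loaded
     */
    public PublicKey retrieveDevicePublicKey() throws DeviceAuthenticatorException {
        if (this.devicePublicKey == null) {
            loadKeys();
        }
        return this.devicePublicKey;
    }

    /**
     * Returns the server certificate, loading it from the keystore on first access and
     * re-verifying it against the root CAs at that point.
     *
     * @throws DeviceAuthenticatorException if loading fails or the stored certificate no
     *         longer verifies against any loaded root CA
     */
    public Certificate retrieveServerCertificate() throws DeviceAuthenticatorException {
        if (this.serverCertificate == null) {
            loadKeys();
            // Re-validate what came out of the keystore rather than trusting it blindly.
            checkServerCertificate(this.serverCertificate);
        }
        return this.serverCertificate;
    }

    /**
     * Returns the public key of {@link #retrieveServerCertificate()}.
     *
     * @throws DeviceAuthenticatorException see {@link #retrieveServerCertificate()}
     */
    public PublicKey retrieveServerPublicKey() throws DeviceAuthenticatorException {
        return retrieveServerCertificate().getPublicKey();
    }

    /**
     * Returns the storage encryption key, loading the keystore entries on first access.
     * May return {@code null} when the keystore holds no secret-key entry, since
     * {@link #loadKeys(List)} does not require one.
     *
     * @throws DeviceAuthenticatorException if the keystore entries cannot be loaded
     */
    public SecretKey retrieveStorageEncryptionKey() throws DeviceAuthenticatorException {
        if (this.encryptionKey == null) {
            loadKeys();
        }
        return this.encryptionKey;
    }

    public abstract void save() throws DeviceAuthenticatorException;

    public abstract void storeServerCertificate(Certificate certificate) throws DeviceAuthenticatorException;
}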
